PYSEC-2026-1607

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/materialx/PYSEC-2026-1607.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1607
Aliases
Published
2026-07-07T16:02:59.500150Z
Modified
2026-07-07T17:46:15.486563719Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
Details

Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

Details

In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:

   InterfaceElementPtr impl = materialNodeDef->getImplementation();
            if (impl && impl->isA<NodeGraph>())
            {
                NodeGraphPtr implGraph = impl->asA<NodeGraph>();
                for (OutputPtr defOutput : materialNodeDef->getOutputs())
                {
                    if (defOutput->getType() == MATERIAL_TYPE_STRING)
                    {
                        OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
                        for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
                        {
                            ElementPtr upstreamElem = it.getUpstreamElement();
                            if (!upstreamElem)
                            {
                                it.setPruneSubgraph(true);
                                continue;
                            }
                            NodePtr upstreamNode = upstreamElem->asA<Node>();
                            if (upstreamNode && upstream

However, when defining the implGraphOutput variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.

PoC

Please download nullptr_implgraph.mtlx from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011

build/bin/MaterialXView --material nullptr_implgraph.mtlx

Impact

An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

References

Affected packages

PyPI / materialx

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.39.2
Fixed
1.39.3

Affected versions

1.*
1.39.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/materialx/PYSEC-2026-1607.yaml"